--- /dev/null
+From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:37 -0700
+Subject: Input: rmi4 - fix bit count in bitmap_copy()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
+
+bitmap_copy() takes number of bits, not bytes (or longs). Correct
+the bit count in rmi_driver_set_irq_bits() and
+rmi_driver_clear_irq_bits().
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
+ __func__);
+ goto error_unlock;
+ }
+- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+- data->num_of_irq_regs);
+
++ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+ bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
+
+ error_unlock:
+@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
+ __func__);
+ goto error_unlock;
+ }
+- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+- data->num_of_irq_regs);
++
++ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+
+ error_unlock:
+ mutex_unlock(&data->irq_mutex);
--- /dev/null
+From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:35 -0700
+Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
+
+kfifo_put() returns 0 if the FIFO is full. In this case, we must
+free the memory allocated for the attention data to avoid a leak.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
+ attn_data.size = size;
+ attn_data.data = fifo_data;
+
+- kfifo_put(&drvdata->attn_fifo, attn_data);
++ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
++ dev_warn_ratelimited(&rmi_dev->dev,
++ "Failed to enqueue attention data, FIFO full\n");
++ kfree(fifo_data);
++ }
+ }
+ EXPORT_SYMBOL_GPL(rmi_set_attn_data);
+
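Review bot: The new failure branch in rmi_set_attn_data() calls `kfree(fifo_data);` without a comment saying why freeing here is correct, and the function is still void, so the transport that queued the data cannot tell it was dropped. A one-line comment on the branch would record the ownership rule: `/* FIFO full: ownership was not transferred, so free our copy */`. Whether callers need a return value is a wider interface question. The function body starts outside this hunk, so the allocation of fifo_data is not visible here.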
--- /dev/null
+From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:34 -0700
+Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
+
+RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
+may overflow num_subpackets in struct rmi_register_desc_item which is
+defined as a u8.
+
+Fix this by changing the type of num_subpackets to u16.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.h | 2 +-
+ drivers/input/rmi4/rmi_f12.c | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -53,7 +53,7 @@ struct pdt_entry {
+ struct rmi_register_desc_item {
+ u16 reg;
+ unsigned long reg_size;
+- u8 num_subpackets;
++ u16 num_subpackets;
+ unsigned long subpacket_map[BITS_TO_LONGS(
+ RMI_REG_DESC_SUBPACKET_BITS)];
+ };
+--- a/drivers/input/rmi4/rmi_f12.c
++++ b/drivers/input/rmi4/rmi_f12.c
+@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
+ f12->data1 = item;
+ f12->data1_offset = data_offset;
+ data_offset += item->reg_size;
++
++ if (item->num_subpackets > 255) {
++ dev_err(&fn->dev, "Too many fingers declared: %d\n",
++ item->num_subpackets);
++ return -EINVAL;
++ }
++
+ sensor->nbr_fingers = item->num_subpackets;
+ sensor->report_abs = 1;
+ sensor->attn_size += item->reg_size;
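Review bot: The limit in `if (item->num_subpackets > 255) {` is a bare literal. It presumably mirrors the width of sensor->nbr_fingers, whose type is not visible in this hunk. Tying the check to that width states the intent and keeps it from drifting: `if (item->num_subpackets > U8_MAX) {`. The early `return -EINVAL;` leaves rmi_f12_probe() part-way through; this is only safe if everything set up earlier is device-managed, which cannot be confirmed here because the function starts and ends outside the hunk.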
--- /dev/null
+From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:31 -0700
+Subject: Input: rmi4 - fix register descriptor address calculation
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
+
+When reading the register descriptor, the base address is incremented by
+1 to read the presence register block. However, after reading the
+presence register block, the address is incorrectly incremented by only
+1 byte (++addr) instead of the actual size of the presence block
+(size_presence_reg). This causes the subsequent structure block read to
+read from the wrong memory location if the presence block is larger than
+1 byte.
+
+Fix this by advancing the address by size_presence_reg.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
+ ret = rmi_read_block(d, addr, buf, size_presence_reg);
+ if (ret)
+ return ret;
+- ++addr;
++ addr += size_presence_reg;
+
+ if (buf[0] == 0) {
+ presense_offset = 3;
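Review bot: size_presence_reg is the length of the rmi_read_block() into buf and, with this change, also the step in `addr += size_presence_reg;`, yet no bound on it is visible in this hunk. If the value is reported by the device, as the description implies, it needs a range check against sizeof(buf) before the read. Presumably that happens earlier in rmi_read_register_desc(), which begins outside the hunk, but it is worth confirming. A short comment such as `/* skip the presence block just read */` would also record why the step is no longer 1.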
--- /dev/null
+From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:33 -0700
+Subject: Input: rmi4 - fix type overflow in register counts
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
+
+The number of registers in the RMI4 register descriptor is populated
+by counting the bits in the presence map using bitmap_weight(). Since
+the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
+storing this count in a u8 can overflow to 0 if all 256 bits are set.
+
+Change the num_registers field in struct rmi_register_descriptor
+from u8 to u16 to prevent potential integer overflow and ensure safe
+processing of devices reporting large descriptors.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
+ struct rmi_register_descriptor {
+ unsigned long struct_size;
+ unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
+- u8 num_registers;
++ u16 num_registers;
+ struct rmi_register_desc_item *registers;
+ };
+
--- /dev/null
+From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:36 -0700
+Subject: Input: rmi4 - iterative IRQ handler
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
+
+The current IRQ handler uses recursion to drain the attention FIFO,
+which can lead to stack overflow on deep queues. Convert it to a
+loop.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
+ struct rmi4_attn_data attn_data = {0};
+ int ret, count;
+
+- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
+- if (count) {
+- *(drvdata->irq_status) = attn_data.irq_status;
+- drvdata->attn_data = attn_data;
+- }
++ do {
++ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
++ if (count) {
++ *drvdata->irq_status = attn_data.irq_status;
++ drvdata->attn_data = attn_data;
++ }
+
+- ret = rmi_process_interrupt_requests(rmi_dev);
+- if (ret)
+- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
+- "Failed to process interrupt request: %d\n", ret);
++ ret = rmi_process_interrupt_requests(rmi_dev);
++ if (ret)
++ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++ "Failed to process interrupt request: %d\n",
++ ret);
+
+- if (count) {
+- kfree(attn_data.data);
+- drvdata->attn_data.data = NULL;
+- }
+-
+- if (!kfifo_is_empty(&drvdata->attn_fifo))
+- return rmi_irq_fn(irq, dev_id);
++ if (count) {
++ kfree(attn_data.data);
++ drvdata->attn_data.data = NULL;
++ }
++ } while (!kfifo_is_empty(&drvdata->attn_fifo));
+
+ return IRQ_HANDLED;
+ }
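Review bot: The `do { ... } while (!kfifo_is_empty(&drvdata->attn_fifo));` loop has no iteration bound, so rmi_irq_fn() only returns once it sees the FIFO empty. The recursive form had the same exit condition but was limited by stack depth; the loop is not. If a transport can enqueue attention data as fast as it is processed (not visible here), the handler thread stays in this loop. At minimum a comment should state the assumption, e.g. `/* Drain all queued attention data; runs until the FIFO is observed empty. */`. Also note that the local attn_data keeps the freed `data` pointer across iterations; it is only overwritten when kfifo_get() succeeds, so resetting it after `kfree()` would avoid carrying a dangling pointer.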
--- /dev/null
+From 7d8bf3d8f91073f4db347ed3aa6302b56107499c Mon Sep 17 00:00:00 2001
+From: Ruslan Valiyev <linuxoid@gmail.com>
+Date: Tue, 17 Mar 2026 17:05:44 +0000
+Subject: media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
+
+From: Ruslan Valiyev <linuxoid@gmail.com>
+
+commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.
+
+syzbot reported a general protection fault in
+vidtv_psi_ts_psi_write_into [1].
+
+vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
+not check for this before dereferencing the returned pointer to access
+the continuity counter. This leads to a general protection fault when
+accessing a near-NULL address.
+
+The root cause is that vidtv_mux_pid_ctx_init() does not check the
+return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
+If the allocation fails, the PID context is never created, but init
+returns success. The subsequent vidtv_mux_push_si() call then gets
+NULL from vidtv_mux_get_pid_ctx() and crashes.
+
+Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
+for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
+all vidtv_mux_get_pid_ctx() calls.
+
+[1]
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events vidtv_mux_tick
+RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
+Call Trace:
+ <TASK>
+ vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
+ vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
+ vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
+ vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408
+
+Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
+Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_mux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
+@@ -101,7 +101,8 @@ static int vidtv_mux_pid_ctx_init(struct
+ /* add a ctx for all PMT sections */
+ while (p) {
+ pid = vidtv_psi_get_pat_program_pid(p);
+- vidtv_mux_create_pid_ctx_once(m, pid);
++ if (!vidtv_mux_create_pid_ctx_once(m, pid))
++ goto free;
+ p = p->next;
+ }
+
+@@ -170,6 +171,9 @@ static u32 vidtv_mux_push_si(struct vidt
+ nit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_NIT_PID);
+ eit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_EIT_PID);
+
++ if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx)
++ return 0;
++
+ pat_args.offset = m->mux_buf_offset;
+ pat_args.continuity_counter = &pat_ctx->cc;
+
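Review bot: Both new guards in vidtv_mux_push_si() fail silently: the `return 0;` after the four-context check here and the `continue;` after the `pmt_ctx` check in the next hunk give no sign that SI tables were skipped. A zero return is indistinguishable from having nothing to push. The description says a missing context should only follow a failed init, so a rate-limited message would make a recurrence diagnosable, e.g. `pr_warn_ratelimited("vidtv: missing PID context, SI tables skipped\n");` before the `return 0;`, and similarly before the `continue;`. In the first hunk, the `free` label and the error code it returns are outside the visible lines, so what vidtv_mux_pid_ctx_init() reports on this new failure path should be checked.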
+@@ -186,6 +190,8 @@ static u32 vidtv_mux_push_si(struct vidt
+ }
+
+ pmt_ctx = vidtv_mux_get_pid_ctx(m, pmt_pid);
++ if (!pmt_ctx)
++ continue;
+
+ pmt_args.offset = m->mux_buf_offset;
+ pmt_args.pmt = m->si.pmt_secs[i];
xhci-fix-memory-leak-regression-when-freeing-xhci-vd.patch
af_unix-reject-siocatmark-on-non-stream-sockets.patch
regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
+input-rmi4-fix-register-descriptor-address-calculation.patch
+input-rmi4-fix-type-overflow-in-register-counts.patch
+input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+input-rmi4-iterative-irq-handler.patch
+input-rmi4-fix-bit-count-in-bitmap_copy.patch
+vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
+media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
+virtiofs-fix-uaf-on-submount-umount.patch
--- /dev/null
+From a287620312dc6dcb9a093417a0e589bf30fcf38a Mon Sep 17 00:00:00 2001
+From: Yi Yang <yiyang13@huawei.com>
+Date: Thu, 4 Jun 2026 06:07:34 +0000
+Subject: vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
+
+From: Yi Yang <yiyang13@huawei.com>
+
+commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.
+
+A KASAN null-ptr-deref was observed in vcs_notifier():
+
+BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
+Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}
+
+The issue is a race condition in vcs_write(). When the console_lock is
+temporarily dropped (to copy data from userspace), the vc_data pointer
+obtained from vcs_vc() may become stale. After re-acquiring the lock,
+vcs_vc() is called again to re-validate the pointer. If the vc has been
+deallocated in the meantime, vcs_vc() returns NULL, and the while loop
+breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
+is still called with the now-NULL vc pointer, leading to a null pointer
+dereference in the notifier chain (vcs_notifier dereferences param->vc).
+
+Fix this by adding a NULL check for vc before calling vcs_scr_updated().
+
+Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vc_screen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -699,7 +699,7 @@ vcs_write(struct file *file, const char
+ }
+ *ppos += written;
+ ret = written;
+- if (written)
++ if (written && vc)
+ vcs_scr_updated(vc);
+
+ unlock_out:
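Review bot: The added `&& vc` test in `if (written && vc)` has no comment explaining why vc can be NULL at this point, and the reason is not visible in the surrounding lines. The description gives it: the pointer is reloaded after console_lock is dropped, and the loop exits with written > 0. Without that note, the check looks redundant and is at risk of being removed in a later cleanup. A comment above the test would preserve it: `/* vc may have been deallocated while console_lock was dropped in the loop */`. The body of vcs_write() starts and ends outside this hunk.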
--- /dev/null
+From 06b41351779e9289e8785694ade9042ae85e41ea Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 28 May 2026 10:58:24 +0200
+Subject: virtiofs: fix UAF on submount umount
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 06b41351779e9289e8785694ade9042ae85e41ea upstream.
+
+iput() called from fuse_release_end() can Oops if the super block has
+already been destroyed. Normally this is prevented by waiting for
+num_waiting to go down to zero before commencing with super block shutdown.
+
+This only works, however, for the last submount instance, as the wait
+counter is per connection, not per superblock.
+
+Revert to using synchronous release requests for the auto_submounts case,
+which is virtiofs only at this time.
+
+Reported-by: Aurélien Bombo <abombo@microsoft.com>
+Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Cc: Greg Kurz <gkurz@redhat.com>
+Closes: https://github.com/kata-containers/kata-containers/issues/12589
+Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kurz <gkurz@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/file.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -358,8 +358,14 @@ void fuse_file_release(struct inode *ino
+ * aio and closes the fd before the aio completes. Since aio takes its
+ * own ref to the file, the IO completion has to drop the ref, which is
+ * how the fuse server can end up closing its clients' files.
++ *
++ * Exception is virtio-fs, which is not affected by the above (server is
++ * on host, cannot close open files in guest). Virtio-fs needs sync
++ * release, because the num_waiting mechanism to wait for all requests
++ * before commencing with fs shutdown doesn't work if submounts are
++ * used.
+ */
+- fuse_file_put(ff, false);
++ fuse_file_put(ff, ff->fm->fc->auto_submounts);
+ }
+
+ void fuse_release_common(struct file *file, bool isdir)
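Review bot: The call `fuse_file_put(ff, ff->fm->fc->auto_submounts);` uses auto_submounts as a stand-in for "this is virtio-fs", but the new comment only names virtio-fs and never says the flag is the test. The description notes the two coincide "at this time". Any other filesystem that later enables auto_submounts would silently get synchronous release and the risk the comment's first part describes. Adding a sentence to the comment would make the coupling explicit, e.g. ` * auto_submounts is used as the virtio-fs indicator here; revisit if another fs sets it.`. The function starts outside the hunk, so whether ff->fm is always valid at this point cannot be checked from these lines.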